<!DOCTYPE html>
<html lang="en-US">
<head>
	





    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png" />
     
     
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	
	<title>HiddenWasp Malware Stings Targeted Linux Systems - Intezer</title>
	<meta name="description" content="Intezer has discovered a new, sophisticated malware named HiddenWasp, targeting Linux systems. Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity, but rather it is a trojan purely used for targeted remote control." />
	<link rel="canonical" href="https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:description" content="Intezer has discovered a new, sophisticated malware named HiddenWasp, targeting Linux systems. Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity, but rather it is a trojan purely used for targeted remote control." />
	<meta property="og:url" content="https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/" />
	<meta property="og:site_name" content="Intezer" />
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/" />
	<meta property="article:published_time" content="2019-05-29T13:36:41+00:00" />
	<meta property="article:modified_time" content="2021-03-22T13:38:40+00:00" />
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/insect-3270233_960_720.jpg" />
	<meta property="og:image:width" content="960" />
	<meta property="og:image:height" content="614" />
	<meta property="og:image:type" content="image/jpeg" />
	<meta name="author" content="Ignacio Sanmillan" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@ulexec" />
	<meta name="twitter:site" content="@IntezerLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Ignacio Sanmillan" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="13 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://www.facebook.com/IntezerLabs/","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/#/schema/logo/image/","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#/schema/logo/image/"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#primaryimage","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/insect-3270233_960_720.jpg","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/insect-3270233_960_720.jpg","width":960,"height":614},{"@type":"WebPage","@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#webpage","url":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/","name":"HiddenWasp Malware Stings Targeted Linux Systems - 
Intezer","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#primaryimage"},"datePublished":"2019-05-29T13:36:41+00:00","dateModified":"2021-03-22T13:38:40+00:00","description":"Intezer has discovered a new, sophisticated malware named HiddenWasp, targeting Linux systems. Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity, but rather it is a trojan purely used for targeted remote control.","breadcrumb":{"@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"HiddenWasp Malware Stings Targeted Linux Systems"}]},{"@type":"Article","@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#article","isPartOf":{"@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#webpage"},"author":{"name":"Ignacio Sanmillan","@id":"https://www.intezer.com/#/schema/person/c29c578db5301424e699cdf223d9f2a3"},"headline":"HiddenWasp Malware Stings Targeted Linux 
Systems","datePublished":"2019-05-29T13:36:41+00:00","dateModified":"2021-03-22T13:38:40+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#webpage"},"wordCount":2674,"commentCount":0,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/insect-3270233_960_720.jpg","keywords":["code reuse","HiddenWasp","Linux","malware"],"articleSection":["Linux","Malware Analysis","Research"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#respond"]}]},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/c29c578db5301424e699cdf223d9f2a3","name":"Ignacio Sanmillan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/10b456cb056c4459eafd1521de56cd73?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/10b456cb056c4459eafd1521de56cd73?s=96&d=mm&r=g","caption":"Ignacio Sanmillan"},"description":"Nacho is a security researcher specializing in reverse engineering and malware analysis. Nacho plays a key role in Intezer's malware hunting and investigation operations, analyzing and documenting new undetected threats. Some of his latest research involves detecting new Linux malware and finding links between different threat actors. Nacho is an adept ELF researcher, having written numerous papers and conducting projects implementing state-of-the-art obfuscation and anti-analysis techniques in the ELF file format.","sameAs":["https://twitter.com/ulexec"],"url":"https://www.intezer.com/author/nacho/"}]}</script>
	





</head>

<body class="post-template-default single single-post postid-4440 single-format-standard wp-custom-logo hiddenwasp-malware-targeting-linux-systems elementor-default elementor-kit-8921">




<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/"
  },
  "headline": "HiddenWasp Malware Stings Targeted Linux Systems",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/insect-3270233_960_720-960x475.jpg",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2019-05-29"
}
</script>





	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">HiddenWasp Malware Stings Targeted Linux Systems</h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/01/eJRF6CeP_400x400-60x60.jpg" class="user-photo"><div class="user-bio"><span class="author-light">Written by </span><span class="author-name"> Ignacio Sanmillan</span><span class="author-date"> - 29 May 2019</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/insect-3270233_960_720-960x475.jpg" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f25657-o2" lang="en-US" dir="ltr">
<form action="/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/#wpcf7-f25657-o2" method="post" class="wpcf7-form init" novalidate="novalidate" data-status="init">
<div class="cf-field">
<div data-id="group-570" data-orig_data_id="group-570" data-clear_on_hide data-class="wpcf7cf_group">
 <span class="wpcf7-form-control-wrap" data-name="mx_State"><select name="mx_State" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Select State</option><option value="Alabama">Alabama</option><option value="Alaska">Alaska</option><option value="American Samoa">American Samoa</option><option value="Arizona">Arizona</option><option value="Arkansas">Arkansas</option><option value="California">California</option><option value="Colorado">Colorado</option><option value="Connecticut">Connecticut</option><option value="Delaware">Delaware</option><option value="District of Columbia">District of Columbia</option><option value="Florida">Florida</option><option value="Georgia">Georgia</option><option value="Guam">Guam</option><option value="Hawaii">Hawaii</option><option value="Idaho">Idaho</option><option value="Illinois">Illinois</option><option value="Indiana">Indiana</option><option value="Iowa">Iowa</option><option value="Kansas">Kansas</option><option value="Kentucky">Kentucky</option><option value="Louisiana">Louisiana</option><option value="Maine">Maine</option><option value="Maryland">Maryland</option><option value="Massachusetts">Massachusetts</option><option value="Michigan">Michigan</option><option value="Minnesota">Minnesota</option><option value="Mississippi">Mississippi</option><option value="Missouri">Missouri</option><option value="Montana">Montana</option><option value="Nebraska">Nebraska</option><option value="Nevada">Nevada</option><option value="New Hampshire">New Hampshire</option><option value="New Jersey">New Jersey</option><option value="New Mexico">New Mexico</option><option value="New York">New York</option><option value="North Carolina">North Carolina</option><option value="North Dakota">North Dakota</option><option value="Northern Mariana Islands">Northern Mariana Islands</option><option value="Ohio">Ohio</option><option value="Oklahoma">Oklahoma</option><option 
value="Oregon">Oregon</option><option value="Pennsylvania">Pennsylvania</option><option value="Puerto Rico">Puerto Rico</option><option value="Rhode Island">Rhode Island</option><option value="South Carolina">South Carolina</option><option value="South Dakota">South Dakota</option><option value="Tennessee">Tennessee</option><option value="Texas">Texas</option><option value="United States Minor Outlying Islands">United States Minor Outlying Islands</option><option value="Utah">Utah</option><option value="Vermont">Vermont</option><option value="Virgin Islands">Virgin Islands</option><option value="Virginia">Virginia</option><option value="Washington">Washington</option><option value="West Virginia">West Virginia</option><option value="Wisconsin">Wisconsin</option><option value="Wyoming">Wyoming</option></select></span>
</div>
</div>
<input type="hidden" name="form-title" value="" class="wpcf7-form-control wpcf7-hidden form-title" />
<div class="cf-submit">
<input type="submit" value="Subscribe" class="wpcf7-form-control has-spinner wpcf7-submit btn btn-primary" />
</div>
<div class="wpcf7-response-output" aria-hidden="true"></div></form></div><div class="side-blog-share"">Share article<div class="a2a_kit a2a_kit_size_ addtoany_list" data-a2a-url="https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/" data-a2a-title="HiddenWasp Malware Stings Targeted Linux Systems"><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fhiddenwasp-malware-targeting-linux-systems%2F&amp;linkname=HiddenWasp%20Malware%20Stings%20Targeted%20Linux%20Systems" title="Facebook" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/facebook.png" alt="Facebook"></a><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fhiddenwasp-malware-targeting-linux-systems%2F&amp;linkname=HiddenWasp%20Malware%20Stings%20Targeted%20Linux%20Systems" title="Twitter" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/twitter.png" alt="Twitter"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fhiddenwasp-malware-targeting-linux-systems%2F&amp;linkname=HiddenWasp%20Malware%20Stings%20Targeted%20Linux%20Systems" title="LinkedIn" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/linkedin.png" alt="LinkedIn"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fhiddenwasp-malware-targeting-linux-systems%2F&amp;linkname=HiddenWasp%20Malware%20Stings%20Targeted%20Linux%20Systems" title="Reddit" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/reddit.png" alt="Reddit"></a><a class="a2a_button_copy_link" 
href="https://www.addtoany.com/add_to/copy_link?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Fhiddenwasp-malware-targeting-linux-systems%2F&amp;linkname=HiddenWasp%20Malware%20Stings%20Targeted%20Linux%20Systems" title="Copy Link" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/link.png" alt="Copy Link"></a></div></div><div class="side-blog-btn side-blog-btn-fancy"><a class="blog-side-join blog-side-cta" href="https://analyze.intezer.com/"><img src="/wp-content/uploads/2022/03/intezer-cube.png"/><h3>Get Free Account</h3><div class="join-btn">Join Now</div></a></div>        <div class="top-posts">
            <h3>Top Blogs</h3>
            <div class="top-posts-cont owl-carousel"  id="owlposts" >
                    	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/">Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware &#x26a1;</a>
                    </h4>
				                    <span class="post-excerpt">Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins...</span>	
                    <a href="https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" class="top-more">Read more</a>
        		</div>
        	        	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/">OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow</a>
                    </h4>
				                    <span class="post-excerpt">Linux is a popular operating system for servers and cloud infrastructures, and as such it’s...</span>	
                    <a href="https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" class="top-more">Read more</a>
        		</div>
        	        	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/alert-triage/the-zero-trust-approach-for-your-alert-haystack/">A Straw-by-Straw Analysis: The Zero-Trust Approach for Your Alert Haystack</a>
                    </h4>
				                    <span class="post-excerpt">One of the greatest challenges security operations center (SOC) teams face is the high volume...</span>	
                    <a href="https://www.intezer.com/blog/alert-triage/the-zero-trust-approach-for-your-alert-haystack/" class="top-more">Read more</a>
        		</div>
        	            </div>
        </div>
<link rel="stylesheet" href="/wp-content/themes/intezer-v2/css/owl.carousel.min.css">
<script type="text/javascript" src="/wp-content/themes/intezer-v2/js/owl.carousel.min.js"></script>
 <script type="text/javascript">

     $(document).ready(function() {
	 
  $("#owlposts").owlCarousel({
            items: 1,
            loop: true,
	  dots: true,
            center: true,
            margin: 0,
            rewind: false,
            autoplay: true,
            autoplayTimeout: 6000,
	  animateIn: 'fadeIn',
              animateOut: 'fadeOut',
      responsive:{
        0:{
            items:1
        },
        600:{
            items:1
        }
      },
      //onInitialized:setDots,
      //onChanged:setDots

        });
		 });




			       
	</script>
</div></div><div class="col-md-9 blog-main"><div class="single-post-content"><p><strong>Overview</strong></p>
<p><strong>•</strong> Intezer has discovered a new, sophisticated malware that we have named “<strong>HiddenWasp</strong>”, targeting <strong>Linux systems</strong>.</p>
<p><strong>•</strong> The malware is still active and has a zero-detection rate in all major anti-virus systems.</p>
<p><strong>•</strong> Unlike common <a href="https://www.intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/">Linux malware</a>, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for <strong>targeted remote control</strong>.</p>
<p><strong>•</strong> Evidence indicates with high probability that the malware is used in targeted attacks against victims who are already under the attacker’s control, or who have been subject to heavy reconnaissance.</p>
<p><strong>•</strong> HiddenWasp authors have adopted a large amount of code from various publicly available open-source malware, such as <strong>Mirai</strong> and the <strong>Azazel rootkit</strong>. In addition, there are some similarities between this malware and other <strong>Chinese malware families</strong>, however the attribution is made with low confidence.</p>
<p><strong>•</strong> We have detailed our <strong>recommendations</strong> for <strong>preventing</strong> <strong>and</strong> <strong>responding</strong> <strong>to this threat</strong>.</p>
<p><strong>1. Introduction</strong></p>
<p>Although the Linux threat ecosystem is crowded with IoT DDoS botnets and crypto-mining malware, it is not very common to spot trojans or backdoors in the wild.</p>
<p>Unlike Windows malware authors, Linux malware authors do not seem to invest much effort in writing their implants. In an open-source ecosystem there is a high ratio of publicly available code that can be copied and adapted by attackers.</p>
<p>In addition, anti-virus solutions for Linux tend not to be as resilient as those on other platforms. Threat actors targeting Linux systems are therefore less concerned about implementing excessive evasion techniques, since even when they reuse extensive amounts of code, their threats can still stay relatively under the radar.</p>
<p>Nevertheless, malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that uses strong evasion techniques and can be easily adapted by attackers.</p>
<p>We believe this fact is alarming for the security community since many implants today have very low detection rates, making these threats difficult to detect and respond to.</p>
<p>We have discovered further undetected Linux malware that appears to implement advanced evasion techniques, using rootkits to leverage trojan-based implants.</p>
<p>In this blog we will present a <strong>technical analysis</strong> of each of the different components that this new malware, HiddenWasp, is composed of. We will also highlight interesting code-reuse connections that we have observed to several open-source malware.</p>
<p>The following images are screenshots from VirusTotal of the newer undetected malware samples discovered:</p>
<p><img class="alignnone wp-image-4401" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-1.png" alt="technical analysis" width="932" height="468" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-1.png 932w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-1-300x151.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-1-768x386.png 768w " sizes="(max-width: 932px) 100vw, 932px" /></p>
<p><strong>2. Technical Analysis</strong></p>
<p>When we came across these samples we noticed that the majority of their code was unique:</p>
<p><a href="https://analyze.intezer.com/#/analyses/2d35f5f3-5be7-4df8-b125-c08b76d17616" target="_blank" rel="noopener noreferrer"><img loading="lazy" class="alignnone wp-image-4418" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-084115_1215x354_scrot.png" data-slb-group="post-images" alt="technical analysis" width="1215" height="354" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084115_1215x354_scrot.png 1215w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084115_1215x354_scrot-300x87.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084115_1215x354_scrot-1024x298.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084115_1215x354_scrot-768x224.png 768w " sizes="(max-width: 1215px) 100vw, 1215px" /></a></p>
<p><a href="https://analyze.intezer.com/#/analyses/3379a0d7-2fd9-46b0-90f8-86200a67c0fd" target="_blank" rel="noopener noreferrer"><img loading="lazy" class="alignnone wp-image-4434" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-084133_1201x421_scrot.png" data-slb-group="post-images" alt="technical analysis" width="1201" height="421" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084133_1201x421_scrot.png 1201w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084133_1201x421_scrot-300x105.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084133_1201x421_scrot-1024x359.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084133_1201x421_scrot-768x269.png 768w " sizes="(max-width: 1201px) 100vw, 1201px" /></a></p>
<p>Similar to the recent Winnti Linux variants reported by <a href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" target="_blank" rel="noopener nofollow noreferrer">Chronicle</a>, the infrastructure of this malware is composed of a user-mode rootkit, a trojan and an initial deployment script. We will cover each of the three components in this post, analyzing them and their interactions with one another.</p>
<p><strong>2.1 Initial Deployment Script:</strong></p>
<p>When we spotted these undetected files in VirusTotal it seemed that among the uploaded artifacts there was a bash script along with a trojan implant binary.</p>
<p><img loading="lazy" class="alignnone wp-image-4402" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-084551_1082x412_scrot.png" alt="Initial Deployment Script" width="1082" height="412" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084551_1082x412_scrot.png 1082w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084551_1082x412_scrot-300x114.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084551_1082x412_scrot-1024x390.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-084551_1082x412_scrot-768x292.png 768w " sizes="(max-width: 1082px) 100vw, 1082px" /></p>
<p>We observed that these files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as <a href="http://www.china-forensic.com/ccfc/en/" target="_blank" rel="noopener nofollow noreferrer">Shen Zhou Wang Yun Information Technology Co., Ltd</a>.</p>
<p>Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong.</p>
<p><img loading="lazy" class="alignnone wp-image-4432" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-10.png" alt="ThinkDream" width="538" height="627" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-10.png 538w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-10-257x300.png 257w " sizes="(max-width: 538px) 100vw, 538px" /></p>
<p>Among the uploaded files, we observed that one of the files was a bash script meant to deploy the malware itself into a given compromised system, although it appears to be for testing purposes:</p>
<p><img loading="lazy" class="alignnone wp-image-4416" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-085049_997x237_scrot.png" alt="ThinkDream" width="997" height="237" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085049_997x237_scrot.png 997w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085049_997x237_scrot-300x71.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085049_997x237_scrot-768x183.png 768w " sizes="(max-width: 997px) 100vw, 997px" /></p>
<p>Thanks to this file we were able to download further artifacts not present in VirusTotal related to this campaign. This script will start by defining a set of variables that would be used throughout the script.</p>
<p><img loading="lazy" class="alignnone wp-image-4409" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-085725_713x536_scrot.png" alt="VirusTotal" width="713" height="536" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085725_713x536_scrot.png 713w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085725_713x536_scrot-300x226.png 300w " sizes="(max-width: 713px) 100vw, 713px" /></p>
<p>Among these variables we can spot the credentials of a user named ‘sftp’, including its hardcoded password. This user seems to be created as a means to provide initial persistence to the compromised system:</p>
<p><img loading="lazy" width="1044" height="268" class="wp-image-4396" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-085815_1044x268_scrot.png" alt="2019 05 23 085815 1044x268 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085815_1044x268_scrot.png 1044w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085815_1044x268_scrot-300x77.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085815_1044x268_scrot-1024x263.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-085815_1044x268_scrot-768x197.png 768w " sizes="(max-width: 1044px) 100vw, 1044px" /></p>
<p>Furthermore, after the system’s user account has been created, the script proceeds to clean the system as a means to update older variants if the system was already compromised:</p>
<p><img loading="lazy" width="563" height="378" class="wp-image-4431" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-090036_563x378_scrot.png" alt="2019 05 23 090036 563x378 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-090036_563x378_scrot.png 563w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-090036_563x378_scrot-300x201.png 300w " sizes="(max-width: 563px) 100vw, 563px" /></p>
<p>The script will then proceed to download a tar compressed archive from a download server according to the architecture of the compromised system. This tarball contains all of the components of the malware, namely the rootkit, the trojan and an initial deployment script:</p>
<p><img loading="lazy" width="818" height="570" class="wp-image-4403" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-090228_818x570_scrot.png" alt="2019 05 23 090228 818x570 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-090228_818x570_scrot.png 818w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-090228_818x570_scrot-300x209.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-090228_818x570_scrot-768x535.png 768w " sizes="(max-width: 818px) 100vw, 818px" /></p>
<p>After malware components have been installed, the script will then proceed to execute the trojan:</p>
<p><img loading="lazy" width="793" height="511" class="wp-image-4408" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-090327_793x511_scrot.png" alt="2019 05 23 090327 793x511 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-090327_793x511_scrot.png 793w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-090327_793x511_scrot-300x193.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-090327_793x511_scrot-768x495.png 768w " sizes="(max-width: 793px) 100vw, 793px" /></p>
<p>We can see that the main trojan binary is executed, the rootkit is added to the LD_PRELOAD path, and a further series of environment variables is set, such as ‘I_AM_HIDDEN’. We will cover the role of this environment variable later in this post. Finally, the script attempts to install reboot persistence for the trojan binary by adding it to /etc/rc.local.</p>
<p>Within this script we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit and a deployment script for x86 and x86_64 builds accordingly.</p>
<p><img loading="lazy" class="alignnone wp-image-4395" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-24-195845_1152x222_scrot.png" alt="deployment script for x86 and x86_64 builds accordingly." width="1152" height="222" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-195845_1152x222_scrot.png 1152w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-195845_1152x222_scrot-300x58.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-195845_1152x222_scrot-1024x197.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-195845_1152x222_scrot-768x148.png 768w " sizes="(max-width: 1152px) 100vw, 1152px" /></p>
<p>The deployment script offers interesting insights into further features that the malware implements, such as the introduction of a new environment variable ‘HIDE_THIS_SHELL’:</p>
<p><img loading="lazy" width="819" height="467" class="wp-image-4421" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-144740_819x467_scrot.png" alt="2019 05 23 144740 819x467 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-144740_819x467_scrot.png 819w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-144740_819x467_scrot-300x171.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-144740_819x467_scrot-768x438.png 768w " sizes="(max-width: 819px) 100vw, 819px" /></p>
<p>We found some of these environment variables in an open-source rootkit known as <a href="https://github.com/chokepoint/azazel/search?q=HIDE_THIS_SHELL&amp;unscoped_q=HIDE_THIS_SHELL" target="_blank" rel="noopener nofollow noreferrer">Azazel</a>.</p>
<p><img loading="lazy" width="528" height="38" class="wp-image-4425" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-24-053134_528x38_scrot.png" alt="2019 05 24 053134 528x38 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-053134_528x38_scrot.png 528w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-053134_528x38_scrot-300x22.png 300w " sizes="(max-width: 528px) 100vw, 528px" /></p>
<p>It seems that this actor replaced Azazel’s default environment variable, HIDE_THIS_SHELL, with I_AM_HIDDEN. We base this conclusion on the fact that HIDE_THIS_SHELL is not used by any of the other components of the malware and appears to be a leftover from the original Azazel code.</p>
<p>The majority of the code in the rootkit implants involved in this malware infrastructure is noticeably different from the original Azazel project. Winnti Linux variants are also known to have reused code from this open-source project.</p>
<p><strong>2.2 The Rootkit:</strong></p>
<p>The rootkit is a user-space rootkit loaded via the Linux LD_PRELOAD mechanism.</p>
<p>It is delivered in the form of an ET_DYN stripped ELF binary.</p>
<p>This shared object has a DT_INIT dynamic entry. The value held by this entry is the address of code that will be executed once the shared object gets loaded by a given process:</p>
<p><img loading="lazy" class="alignnone wp-image-4456 size-full" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-29-164708_842x473_scrot.png" alt="The Rootkit" width="842" height="473" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-29-164708_842x473_scrot.png 842w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-29-164708_842x473_scrot-300x169.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-29-164708_842x473_scrot-768x431.png 768w " sizes="(max-width: 842px) 100vw, 842px" /></p>
<p>Within this function we can see that control flow eventually reaches a function in charge of resolving a set of dynamic imports, which are the functions it will later hook, as well as decoding a series of strings needed for the rootkit’s operations.</p>
<p><img loading="lazy" width="532" height="527" class="wp-image-4407" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-4.png" alt="pasted image 0 4" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-4.png 532w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-4-300x297.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-4-150x150.png 150w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-4-50x50.png 50w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-4-65x65.png 65w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-4-220x218.png 220w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-4-66x66.png 66w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-4-60x60.png 60w " sizes="(max-width: 532px) 100vw, 532px" /></p>
<p>We can see that for each string it allocates a new dynamic buffer, copies the string into it and then decodes it.</p>
<p>It seems that the implementation for dynamic import resolution slightly varies in comparison to the one used in <a href="https://github.com/chokepoint/azazel/blob/master/config.py" target="_blank" rel="noopener nofollow noreferrer">Azazel</a> rootkit.</p>
<p>When we wrote the script to simulate the cipher that implements the string decoding function we observed the following algorithm:</p>
<p><img loading="lazy" class="alignnone wp-image-4405" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-072903_318x253_scrot.png" alt="When we wrote the script to simulate the cipher that implements the string decoding function we observed the following algorithm:" width="318" height="253" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-072903_318x253_scrot.png 318w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-072903_318x253_scrot-300x239.png 300w " sizes="(max-width: 318px) 100vw, 318px" /></p>
<p>We recognized that a similar algorithm to the one above was used in the past by <a href="https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/scanner.c#L963" target="_blank" rel="noopener nofollow noreferrer">Mirai</a>, implying that authors behind this rootkit may have ported and modified some code from Mirai.</p>
<p><img loading="lazy" width="483" height="407" class="wp-image-4422" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-073253_483x407_scrot.png" alt="2019 05 23 073253 483x407 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-073253_483x407_scrot.png 483w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-073253_483x407_scrot-300x253.png 300w " sizes="(max-width: 483px) 100vw, 483px" /></p>
<p>After the rootkit main object has been loaded into the address space of a given process and has decrypted its strings, it will export the functions that are intended to be hooked. We can see these exports to be the following:</p>
<p><img loading="lazy" class="alignnone wp-image-4426" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-8.png" alt="rootkit" width="484" height="402" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-8.png 484w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-8-300x249.png 300w " sizes="(max-width: 484px) 100vw, 484px" /></p>
<p>For every given export, the rootkit will hook and implement a specific operation accordingly, although they all have a similar layout. Before the original hooked function is called, it is checked whether the environment variable ‘I_AM_HIDDEN’ is set:</p>
<p><img loading="lazy" width="796" height="779" class="wp-image-4420" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-27-074838_796x779_scrot.png" alt="2019 05 27 074838 796x779 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-27-074838_796x779_scrot.png 796w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-27-074838_796x779_scrot-300x294.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-27-074838_796x779_scrot-768x752.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-27-074838_796x779_scrot-50x50.png 50w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-27-074838_796x779_scrot-65x65.png 65w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-27-074838_796x779_scrot-66x66.png 66w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-27-074838_796x779_scrot-60x60.png 60w " sizes="(max-width: 796px) 100vw, 796px" /></p>
<p>We can see an example of how the rootkit hooks the function fopen in the following screenshot:</p>
<p><img loading="lazy" width="847" height="623" class="wp-image-4399" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-081200_847x623_scrot.png" alt="2019 05 23 081200 847x623 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-081200_847x623_scrot.png 847w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-081200_847x623_scrot-300x221.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-081200_847x623_scrot-768x565.png 768w " sizes="(max-width: 847px) 100vw, 847px" /></p>
<p>We have observed that after checking whether the ‘I_AM_HIDDEN’ environment variable is set, it then runs a function to hide all of the rootkit’s and trojan’s artifacts. In addition, specifically for the fopen function, it also checks whether the file being opened is ‘/proc/net/tcp’; if it is, it attempts to hide the malware’s connection to the CNC by scanning every entry for the destination or source port used to communicate with the CNC, in this case 61061. Note that /proc/net/tcp lists ports in hexadecimal, so 61061 appears there as EE85. This is also the default port in the <a href="https://github.com/chokepoint/azazel/blob/master/config.py" target="_blank" rel="noopener nofollow noreferrer">Azazel</a> rootkit.</p>
<p><img loading="lazy" width="569" height="553" class="wp-image-4429" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-081703_569x553_scrot.png" alt="2019 05 23 081703 569x553 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-081703_569x553_scrot.png 569w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-081703_569x553_scrot-300x292.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-081703_569x553_scrot-50x50.png 50w " sizes="(max-width: 569px) 100vw, 569px" /></p>
<p>The rootkit primarily implements artifact hiding mechanisms as well as tcp connection hiding as previously mentioned. Overall functionality of the rootkit can be illustrated in the following diagram:</p>
<p><img loading="lazy" width="402" height="428" class="wp-image-4413" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-6.png" alt="pasted image 0 6" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-6.png 402w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-6-282x300.png 282w " sizes="(max-width: 402px) 100vw, 402px" /></p>
<p><strong>2.3 The Trojan:</strong></p>
<p>The trojan comes in the form of a statically linked ELF binary linked with libstdc++. We noticed that the trojan has code connections with ChinaZ’s Elknot implant with regard to a common MD5 implementation in one of the libraries it was statically linked with:</p>
<p><img loading="lazy" width="942" height="684" class="wp-image-4404" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-2.png" alt="pasted image 0 2" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-2.png 942w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-2-300x218.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-2-768x558.png 768w " sizes="(max-width: 942px) 100vw, 942px" /></p>
<p>In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from Elknot that could have been shared in Chinese hacking forums:</p>
<p><img loading="lazy" width="629" height="580" class="wp-image-4427" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-22-182452_629x580_scrot.png" alt="2019 05 22 182452 629x580 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-22-182452_629x580_scrot.png 629w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-22-182452_629x580_scrot-300x277.png 300w " sizes="(max-width: 629px) 100vw, 629px" /></p>
<p>When we analyzed the main function, we noticed that the first action the trojan takes is to retrieve its configuration:</p>
<p><img loading="lazy" width="694" height="669" class="wp-image-4417" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-162703_694x669_scrot.png" alt="2019 05 23 162703 694x669 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-162703_694x669_scrot.png 694w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-162703_694x669_scrot-300x289.png 300w " sizes="(max-width: 694px) 100vw, 694px" /></p>
<p>The malware configuration is appended at the end of the file and has the following structure:</p>
<p><img loading="lazy" class="alignnone wp-image-4454 size-full" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-28-195155_776x314_scrot.png" alt="" width="776" height="314" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-28-195155_776x314_scrot.png 776w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-28-195155_776x314_scrot-300x121.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-28-195155_776x314_scrot-768x311.png 768w " sizes="(max-width: 776px) 100vw, 776px" /></p>
<p>The malware will try to load itself from the disk and parse this blob to then retrieve the static encrypted configuration.</p>
<p><img loading="lazy" width="602" height="688" class="wp-image-4437" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-162730_602x688_scrot.png" alt="2019 05 23 162730 602x688 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-162730_602x688_scrot.png 602w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-162730_602x688_scrot-263x300.png 263w " sizes="(max-width: 602px) 100vw, 602px" /></p>
<p>Once the encrypted configuration has been successfully retrieved, it is decoded and then parsed as JSON.</p>
<p>The cipher used to encode and decode the configuration is the following:</p>
<p><img loading="lazy" width="1073" height="533" class="wp-image-4414" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-162515_1073x533_scrot.png" alt="2019 05 23 162515 1073x533 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-162515_1073x533_scrot.png 1073w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-162515_1073x533_scrot-300x149.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-162515_1073x533_scrot-1024x509.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-162515_1073x533_scrot-768x381.png 768w " sizes="(max-width: 1073px) 100vw, 1073px" /></p>
<p>This cipher seems to be an RC4-like algorithm with an already computed, PRGA-generated key-stream. It is important to note that this same cipher is used later on in the network communication protocol between trojan clients and their CNCs.</p>
<p>After the configuration is decoded the following json will be retrieved:</p>
<p><img loading="lazy" width="547" height="332" class="wp-image-4435" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-165252_547x332_scrot.png" alt="2019 05 23 165252 547x332 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-165252_547x332_scrot.png 547w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-165252_547x332_scrot-300x182.png 300w " sizes="(max-width: 547px) 100vw, 547px" /></p>
<p>Moreover, if the file is running as root, the malware will attempt to change the location from which the dynamic linker reads its system-wide preload list (the file-based counterpart of the LD_PRELOAD environment variable). This location is usually /etc/ld.so.preload; however, it is possible to patch the dynamic linker binary to change this path:</p>
<p><img loading="lazy" width="589" height="343" class="wp-image-4419" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-165828_589x343_scrot.png" alt="2019 05 23 165828 589x343 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-165828_589x343_scrot.png 589w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-165828_589x343_scrot-300x175.png 300w " sizes="(max-width: 589px) 100vw, 589px" /></p>
<p>The Patch_ld function scans for any existing /lib paths. The scanned paths are the following:</p>
<p><img loading="lazy" width="539" height="146" class="wp-image-4415" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-171459_539x146_scrot.png" alt="2019 05 23 171459 539x146 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-171459_539x146_scrot.png 539w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-171459_539x146_scrot-300x81.png 300w " sizes="(max-width: 539px) 100vw, 539px" /></p>
<p>The malware will attempt to find the dynamic linker binary within these paths. The dynamic linker filename is usually prefixed with ld-&lt;version number&gt;.</p>
<p><img loading="lazy" width="538" height="442" class="wp-image-4423" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-171605_538x442_scrot.png" alt="2019 05 23 171605 538x442 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-171605_538x442_scrot.png 538w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-171605_538x442_scrot-300x246.png 300w " sizes="(max-width: 538px) 100vw, 538px" /></p>
<p>Once the dynamic linker is located, the malware will find the offset where the /etc/ld.so.preload string is located within the binary and will overwrite it with the path of the new target preload path, that one being /sbin/.ifup-local.</p>
<p><img loading="lazy" width="614" height="151" class="wp-image-4412" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-171714_614x151_scrot.png" alt="2019 05 23 171714 614x151 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-171714_614x151_scrot.png 614w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-171714_614x151_scrot-300x74.png 300w " sizes="(max-width: 614px) 100vw, 614px" /></p>
<p>To perform this patch, it first encodes the path of the rootkit in hex and then executes the following formatted string using the xxd hex editor utility:</p>
<p><img loading="lazy" width="752" height="79" class="wp-image-4439" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-172157_752x79_scrot.png" alt="2019 05 23 172157 752x79 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-172157_752x79_scrot.png 752w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-172157_752x79_scrot-300x32.png 300w " sizes="(max-width: 752px) 100vw, 752px" /></p>
<p>Once it has changed the default LD_PRELOAD path from the dynamic linker it will deploy a thread to enforce that the rootkit is successfully installed using the new LD_PRELOAD path. In addition, the trojan will communicate with the rootkit via the environment variable ‘I_AM_HIDDEN’ to serialize the trojan’s session for the rootkit to apply evasion mechanisms on any other sessions.</p>
<p><img loading="lazy" width="1080" height="583" class="wp-image-4428" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-172825_1080x583_scrot.png" alt="2019 05 23 172825 1080x583 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-172825_1080x583_scrot.png 1080w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-172825_1080x583_scrot-300x162.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-172825_1080x583_scrot-1024x553.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-172825_1080x583_scrot-768x415.png 768w " sizes="(max-width: 1080px) 100vw, 1080px" /></p>
<p>After seeing the rootkit’s functionality, we can understand that the rootkit and trojan work together in order to help each other to remain persistent in the system, having the rootkit attempting to hide the trojan and the trojan enforcing the rootkit to remain operational. The following diagram illustrates this relationship:</p>
<p><img loading="lazy" width="502" height="389" class="wp-image-4406" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-3.png" alt="pasted image 0 3" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-3.png 502w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-3-300x232.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-3-310x240.png 310w " sizes="(max-width: 502px) 100vw, 502px" /></p>
<p>Continuing with the execution flow of the trojan, a series of functions are executed to enforce evasion of some artifacts:</p>
<p><img loading="lazy" width="514" height="329" class="wp-image-4438" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-173455_514x329_scrot.png" alt="2019 05 23 173455 514x329 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-173455_514x329_scrot.png 514w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-173455_514x329_scrot-300x192.png 300w " sizes="(max-width: 514px) 100vw, 514px" /></p>
<p>These artifacts are the following:</p>
<p><img loading="lazy" width="619" height="157" class="wp-image-4410" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-23-173529_619x157_scrot.png" alt="2019 05 23 173529 619x157 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-173529_619x157_scrot.png 619w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-23-173529_619x157_scrot-300x76.png 300w " sizes="(max-width: 619px) 100vw, 619px" /></p>
<p>By performing some OSINT regarding these artifact names, we found that they belong to a Chinese open-source rootkit for Linux known as <a href="https://github.com/yaoyumeng/adore-ng" target="_blank" rel="noopener nofollow noreferrer">Adore-ng</a> hosted in GitHub:</p>
<p><img loading="lazy" width="902" height="454" class="wp-image-4430" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-9.png" alt="pasted image 0 9" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-9.png 902w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-9-300x151.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-9-768x387.png 768w " sizes="(max-width: 902px) 100vw, 902px" /></p>
<p>The fact that these artifacts are being searched for suggests that Linux systems potentially targeted by these implants may have already been compromised with some variant of this open-source rootkit, as an additional artifact in this malware’s infrastructure. Although those paths are being searched for in order to hide their presence in the system, it is important to note that none of the analyzed artifacts related to this malware are installed in such paths.</p>
<p>This finding may imply that the target systems this malware is aiming to intrude may be already known compromised targets by the same group or a third party that may be collaborating with the same end goal of this particular campaign.</p>
<p>Moreover, the trojan communicates using a simple network protocol over TCP. We can see that when a connection is established to the Master or Stand-By servers, there is a handshake mechanism involved in order to identify the client.</p>
<p><img loading="lazy" width="610" height="411" class="wp-image-4436" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-24-005754_610x411_scrot.png" alt="2019 05 24 005754 610x411 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-005754_610x411_scrot.png 610w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-005754_610x411_scrot-300x202.png 300w " sizes="(max-width: 610px) 100vw, 610px" /></p>
<p>With the help of this function we were able to understand the structure of the communication protocol employed. We can illustrate the structure of this communication protocol by looking at a pcap of the initial handshake between the server and client:</p>
<p><img loading="lazy" width="721" height="482" class="wp-image-4424" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-7.png" alt="pasted image 0 7" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-7.png 721w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-7-300x201.png 300w " sizes="(max-width: 721px) 100vw, 721px" /></p>
<p>We noticed while analyzing this protocol that the Reserved and Method fields are always constant, those being 0 and 1 respectively. The cipher table offset represents the offset in the hardcoded key-stream that the encrypted payload was encoded with. The following is the fixed keystream this field makes reference to:</p>
<p><img loading="lazy" class="alignnone wp-image-4457 size-full" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-29-164756_1179x415_scrot.png" alt="" width="1179" height="415" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-29-164756_1179x415_scrot.png 1179w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-29-164756_1179x415_scrot-300x106.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-29-164756_1179x415_scrot-1024x360.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-29-164756_1179x415_scrot-768x270.png 768w " sizes="(max-width: 1179px) 100vw, 1179px" /></p>
<p>After decrypting the traffic and analyzing some of the network related functions of the trojan, we noticed that the communication protocol is also implemented in json format. To show this, the following image is the decrypted handshake packets between the CNC and the trojan:</p>
<p><img loading="lazy" width="892" height="114" class="wp-image-4400" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-24-022934_892x114_scrot.png" alt="2019 05 24 022934 892x114 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-022934_892x114_scrot.png 892w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-022934_892x114_scrot-300x38.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-022934_892x114_scrot-768x98.png 768w " sizes="(max-width: 892px) 100vw, 892px" /></p>
<p>After the handshake is completed, the trojan will proceed to handle CNC requests:</p>
<p><img loading="lazy" width="974" height="507" class="wp-image-4397" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/2019-05-24-023211_974x507_scrot.png" alt="2019 05 24 023211 974x507 scrot" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-023211_974x507_scrot.png 974w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-023211_974x507_scrot-300x156.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/2019-05-24-023211_974x507_scrot-768x400.png 768w " sizes="(max-width: 974px) 100vw, 974px" /></p>
<p>Depending on the given requests the malware will perform different operations accordingly. An overview of the trojan’s functionalities performed by request handling are shown below:</p>
<p><img loading="lazy" width="511" height="561" class="wp-image-4411" src="https://149520725.v2.pressablecdn.com//wp-content/uploads/2019/05/pasted-image-0-5.png" alt="pasted image 0 5" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-5.png 511w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/05/pasted-image-0-5-273x300.png 273w " sizes="(max-width: 511px) 100vw, 511px" /><br />
<strong>3. Prevention and Response</strong></p>
<p><strong>Prevention: </strong>Block Command-and-Control IP addresses detailed in the IOCs section.</p>
<p><strong>Response:</strong> We have provided a <a href="https://github.com/intezer/yara-rules/blob/master/HiddenWasp.yar" target="_blank" rel="noopener noreferrer">YARA rule</a> intended to be run against in-memory artifacts in order to be able to detect these implants.</p>
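<p>In addition, in order to check if your system is infected, you can search for “ld.so” files — if any of the files do not contain the string ‘/etc/ld.so.preload’, your system may be compromised. This is because the trojan implant will attempt to patch instances of ld.so in order to enforce the LD_PRELOAD mechanism from arbitrary locations. Because the rootkit hooks library functions in dynamically linked processes in order to hide its artifacts, this check is more reliable when run with statically linked tools or from a trusted environment (for example, against an offline image of the disk), and when the dynamic linker is also compared against the copy shipped in your distribution’s package. The presence of the replacement preload path described above, /sbin/.ifup-local, is a further indicator.</p>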
<p><strong>4. Summary </strong></p>
<p>We analyzed every component of HiddenWasp explaining how the rootkit and trojan implants work in parallel with each other in order to enforce persistence in the system.</p>
<p>We have also covered how the different components of HiddenWasp have adapted pieces of code from various open-source projects. Nevertheless, these implants managed to remain undetected.</p>
<p>Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats.</p>
<p>Linux malware will continue to become more complex over time and currently even common threats do not have high detection rates, while more sophisticated threats have even lower visibility.</p>
<p><strong>IOCs</strong></p>
<p><strong><br />
</strong>103.206.123[.]13<br />
103.206.122[.]245<br />
http://103.206.123[.]13:8080/system.tar.gz<br />
http://103.206.123[.]13:8080/configUpdate.tar.gz<br />
http://103.206.123[.]13:8080/configUpdate-32.tar.gz<br />
e9e2e84ed423bfc8e82eb434cede5c9568ab44e7af410a85e5d5eb24b1e622e3<br />
f321685342fa373c33eb9479176a086a1c56c90a1826a0aef3450809ffc01e5d<br />
d66bbbccd19587e67632585d0ac944e34e4d5fa2b9f3bb3f900f517c7bbf518b<br />
0fe1248ecab199bee383cef69f2de77d33b269ad1664127b366a4e745b1199c8<br />
2ea291aeb0905c31716fe5e39ff111724a3c461e3029830d2bfa77c1b3656fc0<br />
d596acc70426a16760a2b2cc78ca2cc65c5a23bb79316627c0b2e16489bf86c0<br />
609bbf4ccc2cb0fcbe0d5891eea7d97a05a0b29431c468bf3badd83fc4414578<br />
8e3b92e49447a67ed32b3afadbc24c51975ff22acbd0cf8090b078c0a4a7b53d<br />
f38ab11c28e944536e00ca14954df5f4d08c1222811fef49baded5009bbbc9a2<br />
8914fd1cfade5059e626be90f18972ec963bbed75101c7fbf4a88a6da2bc671b</p>
<div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/01/eJRF6CeP_400x400-60x60.jpg" class="user-photo"><div class="user-bio"><strong> Ignacio Sanmillan</strong><div class="share-author"><a href="https://twitter.com/ulexec" target="_blank" class="twitter-link"><i class="fa fa-twitter" aria-hidden="true"></i></a><a href="https://il.linkedin.com/in/ignacio-sanmillan-1aa244b8" target="_blank" class="linkedin-link"><i class="fa fa-linkedin" aria-hidden="true"></i></a></div><p>Nacho is a security researcher specializing in reverse engineering and malware analysis. Nacho plays a key role in Intezer\'s malware hunting and investigation operations, analyzing and documenting new undetected threats. Some of his latest research involves detecting new Linux malware and finding links between different threat actors. Nacho is an adept ELF researcher, having written numerous papers and conducting projects implementing state-of-the-art obfuscation and anti-analysis techniques in the ELF file format.</p></div></div><div class="post-tags"> <a href="https://www.intezer.com/tag/code-reuse/" rel="tag">code reuse</a> <a href="https://www.intezer.com/tag/hiddenwasp/" rel="tag">HiddenWasp</a> <a href="https://www.intezer.com/tag/linux/" rel="tag">Linux</a> <a href="https://www.intezer.com/tag/malware/" rel="tag">malware</a></div><nav class="post-nav clearfix"><div class="prev-post"><a href="https://www.intezer.com/blog/cloud-security/technical-analysis-cryptocurrency-mining-war-on-the-cloud/" rel="prev"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/cloud-security/technical-analysis-cryptocurrency-mining-war-on-the-cloud/" rel="prev">Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud</a></h4></div></div><div class="next-post"><a href="https://www.intezer.com/blog/malware-analysis/chinese-apts-rising-ia-community-may-2019/" rel="next"></a><div 
class="post-link clear"><h4><a href="https://www.intezer.com/blog/malware-analysis/chinese-apts-rising-ia-community-may-2019/" rel="next">Chinese APTs Rising: Key Takeaways from the Intezer Analyze Community in May</a></h4></div></div></nav>        <div class="related-posts">
        </div>
</div></div><div class="col-md-1"></div></div>
		    </div>
			
		
	    </div>
		

    </div>



    </body>
</html>
